Security Corner

“What?” You say. “That’s not news!” Well, it is when the cyber-criminals are your own government agencies. I’m just going to block quote this from Bruce Schneier’s latest Crypto-gram newsletter:

There’s a new story on the C’t Magazin website about a 5-Eyes program to infect computers around the world for use as launching pads for attacks. These are not target computers; these are innocent third parties.

The article actually talks about several government programs. HACIENDA is a GCHQ program to port-scan entire countries, looking for vulnerable computers to attack. According to the GCHQ slide from 2009, they’ve completed port scans of 27 different countries and are prepared to do more.

The point of this is to create ORBs, or Operational Relay Boxes. Basically, these are computers that sit between the attacker and the target, and are designed to obscure the true origins of an attack. Slides from the Canadian CSEC talk about how this process is being automated: “2-3 times/year, 1 day focused effort to acquire as many new ORBs as possible in as many non 5-Eyes countries as possible.” They’ve automated this process into something codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA, 24 people were able to identify “a list of 3000+ potential ORBs” in 5-8 hours. The presentation does not go on to say whether all of those computers were actually infected.

Slides from the UK’s GCHQ also talk about ORB detection, as part of a program called MUGSHOT. It, too, is happy with the automatic process: “Initial ten fold increase in Orb identification rate over manual process.” There are also NSA slides that talk about the hacking process, but there’s not much new in them.

The slides never say how many of the “potential ORBs” CSEC discovers or the computers that register positive in GCHQ’s “Orb identification” are actually infected, but they’re all stored in a database for future use. The Canadian slides talk about how some of that information was shared with the NSA.

Increasingly, innocent computers and networks are becoming collateral damage, as countries use the Internet to conduct espionage and attacks against each other. This is an example of that. Not only do these intelligence services want an insecure Internet so they can attack each other, they want an insecure Internet so they can use innocent third parties to help facilitate their attacks.

The story contains formerly TOP SECRET documents from the US, UK, and Canada. Note that Snowden is not mentioned at all in this story. Usually, if the documents the story is based on come from Snowden, the reporters say that. In this case, the reporters have said nothing about where the documents come from. I don’t know if this is an omission — these documents sure look like the sorts of things that come from the Snowden archive — or if there is yet another leaker.

No government agent or agency should be permitted to consider themselves above the law. What they are doing, you and I would be arrested and imprisoned for. I think it’s time we called these criminals to account for their crimes. Snowden did his part; it’s time for us to live up to our responsibilities as citizens and give these crooks the business.

According to ZDNet, Apple has removed the warrant canary from their transparency report, suggesting that the company has received a top secret subpoena under the Section 215 of the USA Patriot Act.

The so-called “warrant canary” was first issued in Apple’s debut transparency report. Apple and other companies are not allowed to disclose whether or not they have received a Section 215 order under the Patriot Act, because the orders are classified.

Apple, however, preemptively asserted [it] “never received an order under Section 215 of the USA Patriot Act,” in November 2013.

That text has now been removed from its latest report, suggesting Apple has in fact received such an order.

The premise of a warrant canary is that Section 215 of the Patriot Act can compel companies not to tell anyone about being served with a warrant, but that the law can’t compel a company to lie and say that it hasn’t received a warrant. This has not been tested in court yet.

It seems likely, based on the latest report, that Apple has now received at least one of the secret surveillance requests.

Dear Customer — an email not addressed directly to you using your registered name [or, with no salutation at all. Ed.].

A weird looking link that is confusing and not obviously from the source. [Here’s a good one: http://twierdzaprzemysl.za.pl/qjjaonoars/<redacted>html]

An attachment

To that list, I would add blatant grammatical errors that make it obvious the sender does not have English as a first language. Example: “It’s operated by Dropbox and safety” in a message I recently saw.

And one more thing: Were you expecting to receive that email? Even if it says it’s from someone you know, you know the types of things your friends send you. If you get lots of emails about cats from one of your friends and then start getting emails about foreign lotteries, you can assume something’s up.

The proliferation of public WiFi hotspots has certainly made it convenient for mobile users, but it has also make it riskier. You have no control over the security features implemented, if any, and you have no way of knowing what they are. Therefore, you have to be extra cautious when using public hotspots.

Do not access sensitive personal accounts such as your bank or credit cards

Ensure that any websites you visit use HTTPS and display a lock icon

Watch out for “shoulder surfing” from people and be aware that security cameras may be recording you, too

Never use a public computer kiosk, such as one in a hotel lobby or “business center” to access personal information

People are creating a “new” profile of someone and then they add the target’s friends, hoping that since you know them, you will add them. As part of the ruse, they make up some excuse as to why they had to create the new account. They will message you about winning a lot of money or some other reason, and try to get you to go to some site and sign up, etc., etc. I know someone whose account was spoofed, and I have a friend who had a relative’s account spoofed.

Facebook will immediately disable the fake account if you report it promptly. If anyone tells you they are receiving strange messages from you, investigate and make sure your account hasn’t been spoofed.

Let your friends know that they shouldn’t be receiving any friend requests from you, since you are already connected.

But until something I’m not expecting blindsides me and causes me a bit of inconvenience, I’m not going to install the bloatware on my systems. Most of it doesn’t work anyway and when users insist on clicking on scary popups because “of course I don’t want 10,000 viruses and registry errors and fix it for me now, please” all the while ignoring the warnings of their legitimate AV application, what’s the use? They bring those systems to me, all horked up with random junk and I find that they have AV software installed, but they opted in to all the adware that’s ******* up their computers anyway.

I don’t click on random links and I ignore popups. I’m a professional, of course, and I have everything backed up all the time and if I ever see a popup, I first ask, “Is this from an app I have installed?” I understand that most people have no clue and probably have no business owning and/or operating a computer.

But that’s why the cybercriminals are successful, isn’t it? Very few people are pros. Most of them will fall for anything.

My point is this: the AV companies are making money on people who they can’t help anyway. I may be wrong. Please tell me if I am. But 11 years of not running anti-malware software on my systems (I do occasionally do a safe mode scan, but I don’t run anything in the background) without a single infection on any of my systems is enough to convince me that smart computing and safe surfing practices is enough.

We security wonks constantly entreat our users not to use common words or phrases for their passwords, and certainly to never re-use passwords on more than one site. Another no-no is using keyboard patterns. The reason people do such things is that they are easy to remember. The problem is that the bad guys have all of these common poor password practices figured out and set up in their password cracking algorithms right alongside of their dictionary files and lists of hacked common passwords. With this exercise, I’m trying to get you to think randomly, not in patterns, though there is a pattern and symmetry here. Of course, no one will use this, but coming up with this stuff is just my way of having fun.

This novel approach that will give you a minimum of 10,000 secure pass phrases at your fingertips (or in your wallet or purse) using only the words. If you choose the modify it with numeric/special character options, you can get many more. If you do the math, the number of combinations of a group of characters is N^R, or the number of choices to the power of how many of those you use. In the basic method below, you have 10 choices and will use 4 of them, so you have 10,000 possible combinations. You can use this to securely write down your pass phrases (well, the aliases for your pass phrases) anywhere you want in the form of 4-digit numbers. Since no one will know what words are on your list, they can know your aliases but they won’t know your pass phrases. If you add secret complications (more about that in a minute), the number of guesses required gets astronomical (or should I say geometrical?)

First, take a piece of paper and write the numerals 0 through 9 on the left side. Then, pick 10 words that are familiar to you. You can use any common words or names that you will remember. Rules about not using pet names, kids’ names, your name, your spouse’s name, etc., don’t apply here because they will be used in a long and random combination. We all have at least ten of those. Here is my example (not to be used, of course–create your own):

0 The
1 Quick
2 Brown
3 Fox
4 Jumps
5 Over
6 The
7 Lazy
8 Red
9 Dog

Those of you who have ever taken a typing class will recognize those words and my slight alteration of it to fill the 10 slots.

Now, what’s the model year of your main ride? Mine is 2005. So, I write down 2005 as my alias and my pass phrase is BrownTheTheOver. Need another pass phrase for something? My birth year is 1953, so I use QuickDogOverFox as my pass phrase.

This method won’t win you any awards for password strength, but they’re sufficiently strong for most purposes. If you want to ramp them up, choose a numeral or special character that you insert between each word. It’s still easy to remember, but it adds 3 more characters to your phrase. I choose @, so I now have Brown@The@The@Over and Quick@Dog@Over@Fox. Visit Steve Gibson’s Password Haystacks site and check those out. My alias for those is 2005@ and 1953@.

The only thing missing here is a numeral to make the character domain consist of upper and lower case letters, numerals and special characters, so let’s add a numeral. Just put it at the beginning or the end and make your alias reflect that. Let’s use the numeral 7 and put it in front. I now have 7Brown@The@The@Over and 7Quick@Dog@Over@Fox. Your alias becomes 72005@ or 71953@ and the strength of the pass phrases goes geometrical, astronomical or what-have-you, into the hundreds of thousands of trillions of centuries to run a brute force crack.

Of course, this is entirely too much work for the average computer user, so I’ll still try “password” as my first guess, followed by “12345678,” “letmein,” and a few others.

Bruce Schneier said, “Blaming the victim is common in IT: users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on.”

So true, and something that I have come to (reluctantly) refrain from doing. Face it, people do things they shouldn’t do, or don’t do things they should. Either way, if there are no immediate consequences, no lesson is learned. Unless Lizzie’s PC completely shuts down when she clicks on an email link, she’ll continue to do it, oblivious to any strange behavior in her browser that results. And she’ll never connect those ill-advised clicks to the theft of her credit card information and subsequent fraudulent charges to her account.

These days, malware is designed to appear as if it’s supposed to be there or to make its effects blend in with the normal operation of the computer. I see this stuff every day and when it simply redirects the browser to another search site or pops up a message saying I need to speed up my computer, I find myself sympathizing with the user. When the really scary popups – “You have 10 bazillion infections!!!! Click here to clean now” – show up, I realize that no one with insufficient technological knowledge is going to recognize that for what it is. The knee-jerk-click-the-button reaction to the scary message is what the crooks depend on.

So, don’t blame the victim. Don’t chastise them for what happened. Don’t make them wrong. Do gently explain to them what happened and hope that the repair bill is sufficient experience and feedback for them to think twice the next time.

We’ve all seen it: You try to uninstall junkware and PUPs (Potentially Unwanted Programs) and they phone home to tell you how sorry they are to see you leave. That’s annoying enough, but what else is going on that you don’t know about? Besides not asking for your permission to connect in the first place, they may be:

Logging your user information such as IP, OS, browser info, etc.

Installing more junkware (toolbars, etc.) in the background without your knowledge or consent.

Installing malware such as key loggers and browser hijackers.

The only way to be sure this doesn’t happen is to disconnect from the internet when uninstalling this stuff. And the absolute best way to uninstall it safely is to reformat the hard drive and re-image the OS.

…early Wednesday morning, two security firms – Milpitas, Calf. based FireEye and Fox-IT in the Netherlands — launched decryptcryptolocker.com, a site that victims can use to recover their files.

The Cryptolocker malware was first spotted in September 2013. It uses very strong encryption to lock Microsoft Office documents, photos, MP3 files, and other files that victims may value. The unfortunate victims of the malware were faced with paying a steep ransom–usually starting at a few hundred dollars in bitcoins–to the cybercrooks. Victims were given 72 hours to pay; if they didn’t make payment in time, the ransom demand increased by five times or more, often amounting to several thousand dollars.

Only about 1.3% of victims ever paid the ransom, so most of them probably lost all of their important files. Even at such a low response, considering that the number of infected systems is probably in the range of six figures, the crooks made (are probably still making) huge profits. 1300 payments of $300 USD (the minimum payment) per 100,000 infections is $390,000.

The decryptcryptolocker.com site provides a free new online service that can help victims unlock and recover files scrambled by the malware.

Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.

According to Krebs, Fox-IT was able to recover the private keys that the cybercriminals were using to run their own decryption service. The firms naturally aren’t saying much about how they got their hands on the keys, but it apparently had something to do with the crooks’ attempts to recover from Operation Tovar, “an international effort in June that sought to dismantle the infrastructure that CryptoLocker used to infect PCs.”

However they did it, I say good for them. Hit the crooks where it counts–their wallets.

About This Blog

Ken "The Geek" Harthun takes the mystery out of computer security. You’ll find valuable advice, tips, and news on how to keep your PCs, network, and data safe from attack by crackers and cybercriminals.